Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Inquiry]: How to grant access to NUL device within AppContainer #73

Open
wfjsw opened this issue Jun 13, 2024 · 2 comments
Open

[Inquiry]: How to grant access to NUL device within AppContainer #73

wfjsw opened this issue Jun 13, 2024 · 2 comments
Labels
inquiry Questions about the product

Comments

@wfjsw
Copy link

wfjsw commented Jun 13, 2024

Description

I am trying to get a sandbox running with currently available AppContainer primitives. When running applications inside the AppContainer, I noticed that it is impossible to write to NUL device:

D:\>echo a > NUL
Access is denied.
Traceback (most recent call last):
  File "D:\ComfyUI\env\lib\site-packages\dill\_dill.py", line 156, in get_file_type
    f = open(os.devnull, *args, **kwargs)
PermissionError: [Errno 13] Permission denied: 'nul'

What ACL / capabilities should I adjust to fix this?
@wfjsw wfjsw added the inquiry Questions about the product label Jun 13, 2024
@cchavez-msft
Copy link
Contributor

Hi, @wfjsw

Thank you so much for opening this issue. We currently don't have a way to fix this. Nevertheless, to better assist you, may I please ask for more details to better understand the scenario? Like what is the purpose of doing this? Please let us know.

@wfjsw
Copy link
Author

wfjsw commented Jul 8, 2024

I want to run some Python application and Git binary inside a AppContainer, and they frequently use NUL as a replacement for /dev/null. Permission wise this seems to be overlooked, and I'm not exactly sure why they need this exact thing, but they are pretty required everywhere.

Anyway, I figured out a way to grant access to ALL APPLICATION PACKAGES to NUL with elevated process:

var strAllAppPackage = "ALL APPLICATION PACKAGES\0";

var status = Pinvoke.GetNamedSecurityInfo(
    "\\\\.\\NUL", SeObjectType.FileObject,
    SecurityInformation.Dacl,
    out _, out _,
    out var oldAcl, out _,
    out var secDesc);
if (status != 0) {
    throw new InvalidOperationException($"Failed to get security info: {status}");
}

IntPtr newAcl;
unsafe {
    fixed (char* strAllAppPackagePtr = strAllAppPackage) {
        var explicitAccess = new ExplicitAccess {
            grfAccessPermissions = AccessMask.GenericRead | AccessMask.GenericWrite,
            grfAccessMode = AccessMode.Grant,
            grfInheritance = InheritanceType.NoInheritance,
            Trustee = new Trustee {
                pMultipleTrustee = IntPtr.Zero,
                MultipleTrusteeOperation = MultipleTrusteeOperation.NoMultipleTrustee,
                TrusteeForm = TrusteeForm.TrusteeIsName,
                TrusteeType = TrusteeType.WellKnownGroup,
                ptstrName = (IntPtr) strAllAppPackagePtr,
            }
        };

        var explicitAccessList = new ExplicitAccess[] { explicitAccess };

        status = Pinvoke.SetEntriesInAcl(
            1, explicitAccessList, oldAcl, out newAcl);
        if (status != 0) {
            throw new InvalidOperationException($"Failed to set entries in ACL: {status}");
        }
    }
}

status = Pinvoke.SetNamedSecurityInfo(
    "\\\\.\\NUL", SeObjectType.FileObject,
    SecurityInformation.Dacl,
    IntPtr.Zero, IntPtr.Zero,
    newAcl, IntPtr.Zero);
if (status == 5) {
    // Access denied
    return 5;
} else if (status != 0) {
    throw new InvalidOperationException($"Failed to set security info: {status}");
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
inquiry Questions about the product
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wfjsw @cchavez-msft